Your Best WooCommerce Promotion Is Also Your Biggest Fraud Exposure


A 40%-off campaign attracts customers. It also attracts people who will take that 40% and leave you holding the returns, chargebacks, and farming losses. Understanding the mechanism is the first step toward fixing it.

Most WooCommerce store owners think about discounts and fraud as two separate problems. Discounts are a marketing decision — how much to offer, when to run the sale, how to structure the campaign. Fraud is a security problem — chargebacks, stolen cards, the occasional bad actor to block. Two different conversations, two different toolboxes.

That separation is the source of the blind spot. Promotions are not just marketing — they are also the primary attack surface for WooCommerce fraud. The more aggressive the discount, the larger the surface, and the more profitable the abuse becomes for the people exploiting it.

This post is about that connection: how discounts create fraud exposure, what the mechanisms look like in practice, and the two-layer approach that reduces exposure without forcing you to run weaker promotions.


The short version

  • Every WooCommerce promotion creates fraud exposure — the deeper the discount, the more profitable the abuse becomes
  • Three mechanisms account for most of the loss: coupon farming, multi-account abuse, and chargeback risk on discounted orders
  • A 40%-off code is not just a 40% margin reduction on legitimate orders — it is a 40% subsidy for anyone who plans to return the item, dispute the charge, or cycle accounts
  • Layer one is discipline: usage limits, stacking controls, and campaign priority that cap the worst-case exposure on every promotion
  • Layer two is detection: behavioral scoring that catches who the promotion attracted and surfaces the patterns before losses compound
  • Neither layer replaces the other. Discipline reduces the attack surface; detection catches what still gets through

Why Discounts and Fraud Are the Same Problem

WooCommerce fraud takes many forms — stolen cards, synthetic identities, chargeback fraud on delivered orders. But the fraud that specifically targets WooCommerce stores running promotions is different in character. It is not random. It is incentive-driven, and promotions are the incentive.

Think about what a promotion does from a bad actor’s perspective. A 30% welcome coupon means an attacker who can claim that coupon multiple times (through new accounts, shared codes, or rotated email addresses) extracts 30 cents of margin on every dollar of product value they touch. A buy-one-get-one offer means someone who buys at full price and then disputes the charge has effectively gotten both items for free while you absorb the payment processor’s chargeback fee. A sitewide 40%-off sale with no usage caps means anyone willing to place and return orders is sampling your products at 40% off.

None of these scenarios require sophisticated technical fraud. They require only that the attacker understands your promotion mechanics better than your protection controls do. And for stores running frequent, aggressive promotions without usage discipline, that understanding is not hard to come by.


The visibility problem

Promotion-linked fraud is especially hard to catch because successful orders look identical to legitimate ones at the transaction level. The customer paid, the order processed, the product shipped. The loss shows up later — as a return, a chargeback, or a first-order coupon redeemed on what turns out to be a fifth account. By the time the pattern is visible, it has already been running for weeks.

The Three Mechanisms: Farming, Multi-Account, and Chargeback

Three mechanisms account for the majority of WooCommerce promotion-linked fraud. They are distinct in how they work, but they share a common driver: your promotion made the abuse worth the effort.

Mechanism 1: Coupon farming

Coupon farming is the practice of collecting, redistributing, and systematically exploiting promotional codes. It takes several forms in WooCommerce contexts.

The simplest is code sharing: a shopper posts your “WELCOME20” code to a coupon aggregator site, your social media DMs, or a deal forum. You now have hundreds or thousands of non-customers redeeming a code designed for a specific acquisition purpose. The per-use cost scales with virality — a code meant to acquire ten customers can end up subsidizing thousands of transactions you never intended to enable.

The more systematic version is refund farming: a customer claims the coupon, places an order, receives the product, and then requests a refund. You refund the transaction. The customer keeps — or returns — the product. Either way, they extracted the coupon benefit while converting the purchase back to free. At 30% off, a $100 product costs you $30 in discount plus shipping and return processing, and the customer may or may not have actually experienced the product.

Refund farming is most profitable at high discount depths and most common with high-value, easily returnable products (apparel, electronics, beauty). The economics make it obvious: a 10% coupon is barely worth the effort of a return; a 40% coupon makes every returned item a small profit for the customer.

Mechanism 2: Multi-account abuse

Welcome coupons — first-order discounts, new-customer codes, signup bonuses — are designed for a single use per customer. The assumption is that each email address belongs to one person making their first purchase.

Multi-account abuse breaks that assumption. A single person creates multiple accounts using different email addresses, claims the first-order coupon repeatedly, and either keeps the product (extracting the discount at scale) or returns it (extracting it for free). The individual accounts each look like a normal new customer. The pattern is only visible when you can see across accounts — which most WooCommerce stores cannot do at any meaningful scale.

The profitability scales with the coupon value. A $5 first-order discount is not worth the inconvenience of managing multiple email addresses. A $50-off welcome code absolutely is. The higher the value of your acquisition offer, the more you are paying people to farm accounts rather than to actually become customers.

Mechanism 3: Chargeback risk on discounted orders

Chargebacks on discounted orders follow a specific pattern that differs from standard chargeback fraud. With standard chargebacks, the attacker uses a stolen card to place an order and disputes it when the real cardholder notices. With promotion-linked chargeback risk, the issue is more nuanced: legitimate-looking orders placed during high-discount events carry elevated dispute rates because of who the promotions attracted.

The customers drawn in by aggressive discounts include a higher proportion of people with loose purchase intent — buyers who were not sure they wanted the product but were willing to try at 40% off. When those customers dispute, they are not always fraudulent in the traditional sense; they are customers with poor intent who are using the chargeback system as a return mechanism. But the outcome for your store is identical to fraud: you lose the product, you lose the payment, you absorb the dispute fee, and if your chargeback ratio climbs high enough, payment processors penalize you across all transactions.

The connection to promotions is statistical: stores that run frequent, aggressive discounts tend to have higher chargeback rates than stores that discount moderately and selectively. The promotions attract a customer mix that includes more dispute-prone buyers, and that mix shows up in the chargeback data.


A pattern worth recognizing

A WooCommerce apparel store ran a 45%-off clearance event. Orders were up 4x from baseline. Return requests over the following three weeks climbed to 28% of event orders — double their normal return rate. Among the returners, a third had used first-order welcome codes that had been shared publicly on deal sites. The clearance event had attracted legitimate buyers, deal hunters, and refund farmers in roughly equal measure. The store had no way to separate them until the returns had already arrived.

The Math: What a 40%-Off Code Actually Costs When Abused

Stores typically measure campaign cost as the sum of discount line items across successful orders. A 40%-off campaign that generated $50,000 in revenue against $83,333 in standard pricing cost $33,333 in discount. That’s the number that appears in most post-campaign analyses.

The actual cost, when abuse is factored in, is meaningfully higher. Here is the fuller math for a hypothetical $100 product sold with a 40% discount:

| Scenario | What the customer pays | What the store absorbs | Net per transaction |
|---|---|---|---|
| Legitimate buyer, keeps product | $60 | $40 discount on COGS ~$40–$50 | Small margin, intended outcome |
| Refund farmer, returns product | $0 net (refunded) | $40 discount + 2× shipping + return processing + restocking or markdown | $15–$30 net loss per transaction |
| Multi-account, coupon reuse | $60 per account | $40 per coupon issued instead of once | Discount cost multiplied by account count |
| Chargeback after delivery | $0 net (disputed) | $40 discount + $15–$50 chargeback fee + product lost | $55–$90 net loss per transaction |

The legitimate buyer scenario is the one you designed the promotion for. Every other row is a tax on running the promotion without adequate controls. The higher the discount, the larger each of those numbers becomes — because the economics of abuse improve in direct proportion to the savings available.

This is what the phrase “a 40%-off code is a 40% margin hit when abused” actually means. The discount that makes the promotion attractive is also the discount that makes the abuse profitable.

How Discount Depth Scales Fraud Exposure

Not all promotions carry the same fraud exposure. The depth of the discount is the primary variable. Here is a rough mapping of how the risk profile changes as discount depth increases:

| Discount depth | Coupon farming risk | Multi-account risk | Chargeback risk | Overall exposure |
|---|---|---|---|---|
| 5–15% | Low | Low | Near baseline | Low |
| 15–25% | Low–medium | Low–medium | Slightly elevated | Moderate |
| 25–40% | Medium | Medium–high | Elevated | Meaningful |
| 40–50% | High | High | High | Significant |
| 50%+ | Very high | Very high | Very high | Severe |

The table is directional, not precise — your product category, customer base, and promotion structure all affect the actual numbers. But the general shape is consistent: there is a tipping point somewhere around 25–30% where the abuse economics shift meaningfully, and another around 40–45% where they become severe enough to threaten campaign profitability for stores with no abuse controls in place.

The implication is not that you should never go above 25%. Clearance events, seasonal sales, and inventory management sometimes require deeper discounts. The implication is that deeper discounts require proportionally stronger controls to maintain the same effective exposure level. You can run a 40%-off campaign safely — but only if the discipline and detection layers are doing their job.

Layer One: Discipline on the Discount Side

The first layer of fraud reduction is structural. It is about designing promotions that cap the worst-case abuse exposure before the campaign goes live — not as an afterthought, but as part of the campaign architecture.

There are four primary tools available in WooCommerce campaign management.

Usage limits

Usage limits define the maximum number of times a campaign discount can be applied: per customer, and in aggregate across all customers. A campaign with no per-customer limit can be redeemed unlimited times by the same person through different accounts. A campaign with no total usage limit can run indefinitely if the end date is not enforced.

Per-customer limits are the most important for multi-account abuse: they cap what any single account can extract. Total limits are a safety net for coupon sharing and virality: they ensure that even if a code escapes into the wild, the total damage is bounded.

In Smart Cycle Discounts, the per-customer usage limit (usage_limit_per_customer) is a Pro feature — it requires a Pro license to configure per-campaign. The total usage limit for code-gated campaigns (usage_limit_global) is available in free. The distinction matters for how you prioritize controls if you are on the free tier.

Stacking controls

Stacking happens when a campaign discount and a WooCommerce native coupon apply simultaneously at the cart. By default in WooCommerce, they stack — there is no automatic mutual exclusion. A 20%-off campaign discount plus a 15%-off coupon code does not give the customer 20%; it gives them roughly 32%, because both discounts apply in sequence.

Stacking is not inherently wrong — sometimes you want it. But unintentional stacking is one of the most common sources of margin loss during promotions, and it is entirely preventable. Smart Cycle Discounts Pro lets you configure a combination policy per campaign: whether the campaign discount should be compatible with WooCommerce coupon codes, or mutually exclusive. Free users have coupons enabled by default and cannot restrict that behavior at the campaign level. If you are running a campaign on the free tier and you have active coupon codes in your WooCommerce library, you should be aware that those codes will stack unless you manually deactivate or restrict them through WooCommerce’s coupon settings.

For a deeper look at exactly how campaign discounts and native coupons interact at the cart — including auto-apply versus code-gated scenarios — the post on WooCommerce discount stacking with coupons and campaigns covers the mechanics in full.

Campaign priority

Campaign priority (1–5 in Smart Cycle Discounts, where 5 is highest) determines which campaign wins when multiple active campaigns affect the same product. High-priority campaigns do not stack with lower-priority ones — the higher-priority discount applies and the others do not. This prevents unintentional discount compounding when you are running several campaigns simultaneously.

Priority is a free feature in Smart Cycle Discounts. Every campaign should have an explicitly set priority; leaving campaigns at the default level means their interaction behavior is undefined and depends on activation order.

Scheduling precision

A campaign that ends automatically at its scheduled time cannot be extended by a late-arriving customer or by a code that circulates after the sale ends. Hard end dates are the simplest form of abuse containment for time-limited offers. A sale that runs indefinitely because nobody remembered to turn it off is a sale that accumulates abuse indefinitely.


The pre-launch discipline checklist

Before any campaign goes live, verify four things: per-customer usage limit is set (or total usage cap is in place), combination policy is intentional (do you want coupon stacking or not?), priority is explicitly configured relative to other active campaigns, and the end date is hard-set. These four controls reduce your worst-case abuse exposure before the first order arrives.
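
The four checks above, written as a pre-launch audit. This is an added example, not code from Smart Cycle Discounts: the Campaign record is a hypothetical model, and only the names usage_limit_per_customer and usage_limit_global come from the article. It assumes percentage discounts apply in sequence and that one native coupon can stack with the campaign.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Campaign:
    name: str
    percent_off: float
    usage_limit_per_customer: Optional[int] = None  # name used in the article
    usage_limit_global: Optional[int] = None        # name used in the article
    allow_coupons: Optional[bool] = None  # hypothetical; None = never decided
    priority: Optional[int] = None        # 1-5, 5 highest; None = left at default
    ends_at: Optional[datetime] = None    # hypothetical; None = no hard end date


def stacked_percent(*percents: float) -> float:
    """Effective discount when percentage discounts apply one after another."""
    remaining = 1.0
    for p in percents:
        remaining *= 1 - p / 100
    return round((1 - remaining) * 100, 2)


def prelaunch_findings(c: Campaign,
                       active_coupon_percents: List[float]) -> Dict[str, str]:
    """Return {check_id: message} for every control missing before launch."""
    findings: Dict[str, str] = {}
    # Check 1: a per-customer limit, or at least a total cap, must exist.
    if c.usage_limit_per_customer is None and c.usage_limit_global is None:
        findings["usage_limit"] = "no per-customer limit and no total cap"
    # Check 2: stacking must be a decision; if allowed, report how deep it goes.
    if c.allow_coupons is None:
        findings["combination_policy"] = "stacking with coupons was never decided"
    elif c.allow_coupons and active_coupon_percents:
        worst = stacked_percent(c.percent_off, max(active_coupon_percents))
        findings["stacking_depth"] = (
            f"{c.percent_off}% campaign reaches {worst}% with the largest active coupon")
    # Check 3: priority must be set explicitly.
    if c.priority is None or not 1 <= c.priority <= 5:
        findings["priority"] = "priority not set explicitly in the 1-5 range"
    # Check 4: the campaign must end on its own.
    if c.ends_at is None:
        findings["end_date"] = "no hard end date"
    return findings


# Constructed sample campaigns.
CLEARANCE = Campaign("clearance", 40, allow_coupons=True)
SPRING = Campaign("spring", 20, usage_limit_per_customer=1, usage_limit_global=500,
                  allow_coupons=False, priority=4,
                  ends_at=datetime(2030, 4, 30, 23, 59))

if __name__ == "__main__":
    for campaign in (CLEARANCE, SPRING):
        print(campaign.name, prelaunch_findings(campaign, [15, 10]) or "ready")
```

The constructed clearance campaign fails three of the four checks, and its 40% discount reaches 49% once a 15% coupon stacks on top.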

Layer Two: Detection on the Fraud Side

Discipline reduces the attack surface. It does not eliminate it. Even a well-structured campaign will attract some customers who abuse it, and the promotion controls described above cannot catch patterns that only become visible over time — a customer whose refund rate climbs over multiple orders, or a set of linked accounts that each stay just under the per-customer limit.

Detection is the second layer: behavioral monitoring that accumulates evidence across a customer’s full history and surfaces the patterns that promotion controls cannot prevent.

What behavioral detection watches for

TrustLens, Webstepper’s customer trust scoring plugin for WooCommerce, runs eight detection modules in the background of every WooCommerce store. The Coupon Abuse Detection module is specifically designed to surface promotion-linked fraud. It tracks three signals across every customer’s order history.

The first signal is the coupon-then-refund pattern. TrustLens increments a counter each time a refund is processed on an order where a coupon was applied. The counter persists across the customer’s full history — a pattern that develops over six months is still visible and still accumulates. Penalties scale with repetition: one event applies a −5 trust score adjustment; two events apply −15; three or more apply −25 and trigger an “abuse pattern” label on the customer profile.

The second signal is first-order coupon reuse. TrustLens identifies a coupon as first-order type if its code contains strings like first, welcome, new, signup, or register, if it carries a usage limit of exactly one per user, or if a store owner has tagged it explicitly. When a first-order coupon is used in combination with a coupon refund event on the same customer profile, TrustLens applies an additional −10 penalty — the combination signals claimed new-customer status plus extracted value via refund.

The third signal is high coupon usage rate. Once a customer has five or more orders, TrustLens evaluates what percentage of those orders used a coupon code. A rate of 80% or higher across five or more orders triggers a −10 adjustment. The five-order minimum prevents false positives from new customers who happened to use two codes early in their history.
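
The three signals above, modelled over a customer's order history. This is an added example, not TrustLens code: the Order record and function names are hypothetical, the refund penalty is assumed to be a tiered total rather than cumulative, and the first-order check is assumed to be a plain substring match.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Substrings the article lists as marking a first-order coupon.
FIRST_ORDER_HINTS = ("first", "welcome", "new", "signup", "register")


@dataclass
class Order:
    coupon_code: Optional[str] = None           # None = no coupon on the order
    coupon_limit_per_user: Optional[int] = None
    tagged_first_order: bool = False            # store owner tagged the coupon
    refunded: bool = False


def is_first_order_coupon(o: Order) -> bool:
    if not o.coupon_code:
        return False
    code = o.coupon_code.lower()
    # With a substring match, a code such as "RENEW10" also matches "new".
    return (o.tagged_first_order or o.coupon_limit_per_user == 1
            or any(hint in code for hint in FIRST_ORDER_HINTS))


def coupon_abuse_score(orders: List[Order]) -> Dict:
    coupon_orders = [o for o in orders if o.coupon_code]
    refund_events = sum(o.refunded for o in coupon_orders)
    adjustments: Dict[str, int] = {}
    labels: List[str] = []

    # Signal 1: coupon-then-refund, penalty scales with repetition.
    if refund_events >= 3:
        adjustments["coupon_then_refund"] = -25
        labels.append("abuse pattern")
    elif refund_events == 2:
        adjustments["coupon_then_refund"] = -15
    elif refund_events == 1:
        adjustments["coupon_then_refund"] = -5

    # Signal 2: a first-order coupon plus a coupon refund on the same profile.
    if refund_events and any(is_first_order_coupon(o) for o in coupon_orders):
        adjustments["first_order_with_refund"] = -10

    # Signal 3: 80% or more of orders used a coupon, with at least five orders.
    if len(orders) >= 5 and len(coupon_orders) / len(orders) >= 0.80:
        adjustments["high_coupon_usage"] = -10

    return {"refund_events": refund_events, "adjustments": adjustments,
            "total": sum(adjustments.values()), "labels": labels}


# Constructed order histories.
SERIAL = [Order("WELCOME20", refunded=True), Order("SPRING10", refunded=True),
          Order("FLASH40", refunded=True), Order("FLASH40"), Order("VIP15"), Order()]
CASUAL = [Order("SPRING10"), Order()]
RENEWAL = [Order("RENEW10", refunded=True)]   # loyalty code, not a welcome code

if __name__ == "__main__":
    for name, history in (("serial", SERIAL), ("casual", CASUAL), ("renewal", RENEWAL)):
        print(name, coupon_abuse_score(history))
```

The constructed renewal customer picks up the first-order penalty only because "RENEW10" contains "new", which is the kind of false positive to look for when reviewing a flagged profile.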

Every signal, counter, and score adjustment is visible on the customer’s TrustLens profile page — the raw numbers, the contribution to the overall trust score, and a timestamped event log of every coupon use and refund. You do not need to run a spreadsheet audit after each promotion to find these patterns; TrustLens assembles the picture continuously as orders arrive.

For the full technical detail on how TrustLens’s Coupon Abuse Detection module calculates these penalties and what the free version provides versus what Pro adds, the dedicated post on how TrustLens detects WooCommerce coupon abuse covers the mechanics exhaustively.

The multi-account layer

The most systematic form of coupon fraud — cycling multiple accounts to claim first-order codes repeatedly — is invisible to per-account coupon detection. Each account stays clean. The abuse is only visible when you can see across accounts.

TrustLens’s Linked Accounts Detection module cross-references customers by hashed shipping address, billing address, phone number, IP address, payment method, and device fingerprint. When accounts share these signals in combinations that suggest they belong to the same person, TrustLens totals the first-order coupon counts across the group. If that combined total exceeds the configured threshold (two by default), TrustLens logs a multi_account_coupon_abuse event and queues a score update.

This is what makes multi-account detection meaningful at a practical level: it connects the per-account coupon history that looks normal to the cross-account pattern that is not. On Free, that signal is surfaced for your manual review. On Pro, you can configure an automatic checkout block when the linked-account coupon abuse pattern is confirmed.
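
A sketch of the cross-account step described above, added here and not taken from TrustLens. The linking rule (two or more shared signals), the keyed hash, the signal field names and the account records are assumptions; the default threshold of two and the multi_account_coupon_abuse event name come from the article.

```python
import hashlib
import hmac
from itertools import combinations
from typing import Dict, List, Set

SIGNALS = ("shipping_address", "billing_address", "phone", "ip",
           "payment_method", "device")
SITE_KEY = b"constructed-demo-key"   # assumption: per-site secret for keyed hashing


def hashed(value: str) -> str:
    # A keyed hash keeps stored fingerprints from being reversed by guessing
    # phone numbers or addresses. Normalise first so trivial variants match.
    return hmac.new(SITE_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def link_groups(accounts: Dict[str, dict], min_shared: int = 2) -> List[Set[str]]:
    """Group accounts that share at least min_shared hashed signals (union-find)."""
    parent = {a: a for a in accounts}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    prints = {a: {s: hashed(v[s]) for s in SIGNALS if v.get(s)}
              for a, v in accounts.items()}
    for a, b in combinations(accounts, 2):
        shared = sum(1 for s in prints[a] if prints[a][s] == prints[b].get(s))
        if shared >= min_shared:
            parent[find(a)] = find(b)

    groups: Dict[str, Set[str]] = {}
    for a in accounts:
        groups.setdefault(find(a), set()).add(a)
    return [g for g in groups.values() if len(g) > 1]


def multi_account_events(accounts: Dict[str, dict], threshold: int = 2) -> List[dict]:
    """Total first-order coupon use per linked group; flag totals above threshold."""
    events = []
    for group in link_groups(accounts):
        total = sum(accounts[a]["first_order_coupons"] for a in group)
        if total > threshold:
            events.append({"event": "multi_account_coupon_abuse",
                           "accounts": sorted(group),
                           "first_order_coupons": total})
    return events


# Constructed accounts: a1-a2 share address and phone, a2-a3 share IP and device,
# b1-b2 share only an IP (for example one household or office network).
ACCOUNTS = {
    "a1": {"shipping_address": "12 Elm St, Springfield", "phone": "555-0101",
           "ip": "203.0.113.7", "device": "dev-aaa", "first_order_coupons": 1},
    "a2": {"shipping_address": "12 elm st, springfield ", "phone": "555-0101",
           "ip": "198.51.100.9", "device": "dev-bbb", "first_order_coupons": 1},
    "a3": {"shipping_address": "90 Oak Ave, Shelbyville", "phone": "555-0199",
           "ip": "198.51.100.9", "device": "dev-bbb", "first_order_coupons": 1},
    "b1": {"shipping_address": "4 Pine Rd", "phone": "555-0150",
           "ip": "192.0.2.44", "device": "dev-ccc", "first_order_coupons": 1},
    "b2": {"shipping_address": "77 Birch Ln", "phone": "555-0160",
           "ip": "192.0.2.44", "device": "dev-ddd", "first_order_coupons": 1},
}

if __name__ == "__main__":
    print(multi_account_events(ACCOUNTS))
```

Each constructed account used one first-order coupon and looks clean alone; a1 and a3 share nothing directly but land in one group through a2, which pushes the combined total to three.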

Free vs Pro: where the line sits

Every detection mechanism described above — the coupon-then-refund scoring, first-order coupon tracking, high usage rate penalties, the positive adjustment for legitimate coupon users, the linked-account coupon totaling — ships in the free version of TrustLens. No scoring paths are locked. No modules are trial-limited.

What Free does not do is act on that scoring automatically. TrustLens Free adjusts trust scores and surfaces signals on customer profiles. You review the profile and decide what to do. Pro adds the ability to act automatically: blocking checkout when a linked-account coupon abuse pattern is confirmed, and building automation rules that trigger on coupon behavior thresholds. The distinction is accurate data (Free) versus automated response (Pro).


What detection cannot do

Behavioral detection works backward: it identifies patterns after enough order history has accumulated to make them statistically meaningful. TrustLens requires a minimum number of orders before some signals activate (five orders for the high coupon usage rate signal; the chargeback and returns modules have similar thresholds). A very new customer exploiting a first-order code on their first and only transaction may not trigger the same depth of signal as a serial abuser with a long history. Detection complements discipline — it does not replace it.

Why Both Layers Are Necessary

Discipline and detection address different parts of the fraud exposure problem. Neither one is sufficient on its own, and they become substantially more effective when they operate together.

Discipline without detection leaves you blind to the customers who got through. You set usage limits and stacking controls, your campaign runs cleanly by the numbers, and you have no idea that a subset of the customers it attracted are now on their second accounts planning to claim the welcome code again, or that a handful of promotion-acquired customers are showing early refund-farming behavior that will compound over the next six months.

Detection without discipline gives you excellent visibility into fraud that you could have prevented. You watch the coupon-then-refund counters climb, see the linked-account flags accumulate, and make manual reviews of customers who should never have been able to extract that much margin in the first place. Detection tells you what happened; discipline is what would have limited the damage.

The stores that handle this well use both. They design promotions with hard controls — usage caps, explicit stacking policies, enforced end dates — so that the worst-case exposure is bounded before the campaign launches. And they run behavioral scoring in the background so that the customers who get through those controls accumulate a behavioral record that surfaces them for review or automatic action before losses compound.

That is the practical shape of the two-layer answer: Smart Cycle Discounts handles the discipline side — campaign structure, usage limits, stacking controls, priority management. TrustLens handles the detection side — coupon abuse signals, multi-account cross-referencing, trust score accumulation, and behavioral flags. The two are designed to operate as a complementary stack. The post on how Smart Cycle Discounts and TrustLens work together to close the discount fraud loop covers the integration in full, including which specific abuse scenarios each layer addresses and where the handoff between them sits.

Understanding the connection between discounts and fraud does not mean running fewer promotions. It means running them with both layers in place — so the 40%-off campaign you needed to clear inventory does not become the 40%-off subsidy program for people who had no intention of becoming customers.

Frequently Asked Questions

Does Smart Cycle Discounts prevent coupon stacking on the free plan?

Not at the campaign level. Free users in Smart Cycle Discounts have coupons enabled by default for all campaigns, and the combination policy control that allows you to set a campaign as coupon-exclusive requires a Pro license. On the free plan, the most practical workaround is to set expiry dates and usage limits on any WooCommerce native coupon codes that could stack with active campaigns, and to use WooCommerce’s coupon exclusion settings directly. Smart Cycle Discounts Pro gives you explicit per-campaign control: you choose whether a given campaign allows or excludes coupon stacking.

Is a per-customer usage limit the same as a total usage limit?

No. A per-customer limit caps how many times a single account can redeem the discount. A total (global) usage limit caps the cumulative redemptions across all customers. Both serve different purposes. A per-customer limit of 1 means each account can use the promotion once — but if someone creates five accounts, the limit resets each time. A total limit of 500 means the promotion ends after 500 redemptions regardless of who placed them. For multi-account abuse, the per-customer limit delays the attacker; the total limit bounds the aggregate exposure. Using both together gives you the strongest protection.

Does TrustLens automatically block customers who show coupon abuse signals?

Not in the free version. TrustLens Free adjusts the customer’s trust score, surfaces the behavioral signals on their profile, and builds a timestamped event log of every coupon use and refund. You review the profile and decide whether to block, flag, or monitor. TrustLens Pro can automatically block checkout when a confirmed linked-account coupon abuse pattern is detected — but that requires a Pro license and an explicit settings toggle to activate. The free version gives you the data; Pro gives you automated responses to that data.

At what discount depth does fraud risk become meaningful?

There is no universal threshold — product type, audience, and promotion structure all affect the actual risk level. That said, the economics of refund farming and multi-account abuse shift meaningfully around 25–30%: below that level, the effort of abuse rarely pays off for the attacker; above it, the returns from systematic exploitation become worth the work. Promotions above 40% carry significant risk without compensating controls, particularly for high-value, easily returnable products in categories like apparel, electronics, or beauty. The key variable is not just the discount depth but what controls you have in place at that depth.

Can TrustLens detect coupon abuse from guest checkouts?

Yes. TrustLens identifies customers by a hash of their email address, so guest checkouts are tracked the same way as registered accounts. The linked account detection modules also apply to guest customers — a guest and a registered account sharing shipping address, IP, or payment fingerprints can still be flagged as linked. The limitation is when a bad actor uses a genuinely new email address for each transaction, at which point the behavioral connections depend on the other fingerprint signals rather than email alone. For stores running first-order coupons that guest customers can claim, this is worth keeping in mind: the per-email tracking works, but systematic address rotation reduces its effectiveness.

How do I know if my current promotions are attracting abusive customers?

The clearest early signals are return rate by acquisition source, coupon-then-refund patterns in your order data, and account creation spikes during or immediately after a promotion launch. If your post-promotion return rate is significantly higher than your baseline (more than 1.5x is worth investigating), the promotion attracted more try-and-return buyers than expected. TrustLens’s Historical Sync can build trust profiles from your existing order data, giving you a retroactive view of which customers your previous promotions attracted and which of them are now showing abuse signals — without waiting for new orders to accumulate.

The promotion is working. Make sure you know what it is working for.

A campaign that drives 300 new orders in 48 hours is easy to celebrate. The harder number to track is how many of those 300 customers were the ones you designed the promotion for — and how many were attracted by the discount itself, with no intention of becoming repeat buyers, loyal customers, or anything other than a transaction that extracted value from your store.

The two-layer approach does not make promotions smaller. It makes them more defensible. Discipline on the discount side means you launch with bounded exposure: usage caps, stacking policy, priority, and hard end dates in place before the first order arrives. Detection on the fraud side means the customers who slip through those controls accumulate a behavioral record that surfaces them before the losses have compounded for months.

You do not need to abandon aggressive discounting to run safer promotions. You need both layers working together — so that the discount you needed to move inventory, acquire a new cohort, or clear a slow season does exactly that, without funding the abuse patterns that travel alongside every high-value promotion.

If you are building out those layers, the post on when WooCommerce discounts attract the wrong customers covers the customer quality dimension — who your promotions actually bring in, how to measure it, and how to design campaigns that filter rather than just attract.

Put both layers in place

Smart Cycle Discounts handles the discipline side — usage limits, stacking controls, campaign priority, scheduled end dates. TrustLens handles the detection side — coupon abuse signals, multi-account cross-referencing, and behavioral trust scoring. Both are free to start.

Webstepper

The Webstepper Team

WordPress Plugin Developers

We’re a husband-and-wife team building WordPress tools that solve problems we faced ourselves running online stores. Our plugins are built from experience — no guesswork, just practical solutions.